Skip to content, sitemap or skip to search.

FSF 30th anniversary logo
Personal tools
Join now
You are here: Home Blogs Community Tell Lenovo: respect user freedom and prevent future Superfishes

Tell Lenovo: respect user freedom and prevent future Superfishes

by Zak Rogoff Contributions Published on Feb 20, 2015 03:55 PM
Security experts have discovered a highly threatening vulnerability in software preinstalled on some Windows computers manufactured by Lenovo through January 2015. Extreme negligence on the part of Lenovo and unscrupulous programming by its adware partner Superfish seem to have caused the vulnerability.

The basis of the problem is a program by Superfish that is designed to interject advertisements into users' Web browsing. That's irritating, but it gets worse. Superfish also installs a certificate that intercepts Web traffic and cripples the host computer's ability to use HTTPS to validate the authenticity of Web sites. This leaves an open door for attackers to use fake versions of sites that should be secure -- like bank Web sites -- to steal personal information. You can read more about the vulnerability at Ars Technica.

Whenever you use proprietary software like Windows or Superfish, true, trustable, verifiable security is always out of reach. Because proprietary code can't be publicly inspected, there's no way to validate its security. Users have to trust that the code is safe and works as advertised. Since proprietary code can only be modified by the developers who claim to own it, users are powerless to choose the manner in which security bugs are fixed. With proprietary software, user security is secondary to developer control.

Recent high-profile security vulnerabilities in free software, like Heartbleed and POODLE, were created when well-intentioned developers made mistakes that were difficult to detect. But this is different -- Lenovo and Superfish caused a massive security breach for the sake of expedience in generating ad revenue.

These companies have shown such blatant disregard for the public trust that they will have to work hard to restore it. Lenovo should work with a third party committed to the public interest -- like the Free Software Foundation -- to create and sell laptops that are certified to respect user freedom and come with a preinstalled free operating system. Join us in calling for this change on social media (see our recommendations for social media platforms).

Microblog about Lenovo's Superfish vulnerability.

Regardless of what Lenovo does, you can minimize your risk of exposure to Superfish and similar threats by uninstalling proprietary operating systems and using a free GNU/Linux distribution signed by a source you trust. If you are interested in a new computer, the FSF currently certifies two retail laptops that come with no proprietary software through our Respects Your Freedom program, and you can build your own free software-friendly computer with guidance from the community-maintained hardware database h-node.

If you have used a Lenovo computer running Superfish, make sure to reset any passwords you use on the Web, as they may have been intercepted.

Document Actions

The FSF is a charity with a worldwide mission to advance software freedom — learn about our history and work. is powered by:


Send your feedback on our translations and new translations of pages to